In this entertaining presentation, read about the five most common mistakes people make during GRC projects in SAP environments.
In the world of GRC and SOX regulations, organizations must work very hard and efficiently to keep their systems clean from violations. With Xpandion's With ProfileTailor Dynamics GRC, you can identify and solve existing violations, be notified when a new violation occurs, and keep your status clean with ongoing processes.
The 5 Most Astonishing Mistakes Made During GRC Projects in SAP Environments
1. 5 Astonishing Mistakes Made During
GRC Projects
in SAP Environments
Created by Xpandion
SAP® is a registered trademark of SAP AG in Germany and in several other countries
3. Xpandion has software to quickly maintain GRC
Prevent fraud, save costs, quickly ensure SoD/SOX compliance.
•Automate in-house and outsourced auditing tasks.
•Receive alerts about unusual activities.
•Prevent security breaches, fraud and leakage of information.
•Save an average of 30% on auditing costs.
•Ensure a successful audit. Get a free demonstration of Xpandion’s ProfileTailor GRC software to see what makes Xpandion different.
4. Mistake #1:
The focus is on compensating controls, not on eliminating risk.
5. People don’t want to solve SoD conflicts either because they fear upsetting the user, or because they don’t want to pay for external consultants. Focusing on compensating controls may be “more comfortable” but it doesn’t solve risk.
6. The solution:
Focus on solving the risks. Arm yourself with management support, GRC auditors and good consultants – but don’t be tempted to add compensating controls too quickly. Each control should be inspected first and then regularly inspected to ensure it’s still valid.
7. Mistake #2:
Only Risk Assessment Managers & Auditors care about eliminating GRC risks.
8. GRC is a good thing. Its purpose is to decrease fraud and improve business processes. But, most people hate dealing with it. In the case of SOX compliance, many remove Power Users right before the audit and put them back right after. Anything to just get through. Shocking.
9. The solution:
Get organized and gain management support by working your way up the GRC project ladder.
Step 1: SoD inspection
Step 2: Narrow Power User authorizations
Step 3: Track sensitive activities usage
Step 4: Implement one- step emergency access process with auditing reports
Step 5: Implement authorization-request process
10. Mistake #3:
After go-live,
own developments are not treated properly.
11. Most people set groups of activities in the initial GRC project implementation and do not maintain them regularly, typically because they’ve forgotten about them.
This results in potential hidden violations to Segregation of Duties rules.
12. The solution:
Make it clear to management that the GRC project won’t be over at go-live as someone needs to keep an eye on the configuration, including enhancing the rule-sets according to new developments.
It’s vital to add and update groups of activities over time. Use alerting software and get an alert when new objects appear in production. Then update the rule-set accordingly.
Find out about Xpandion’s alerting software.
13. Mistake #4:
Getting a GRC solution “for free” without inspecting implementation and maintenance costs.
14. Getting a “free” GRC solution and not considering implementation time and overall costs is like getting a free, huge truck with two 48 ft. trailers and forgetting its outrageous fuel consumption and maintenance costs. It’s an expensive toy for handling regular tasks, and it could take a year and cost a fortune to even get it to your garage.
15. The solution:
It needs to be mentioned that GRC project costs are comprised much more by implementation and maintenance costs than on the initial purchase. See for yourself by asking those that chose “free” GRC solutions what the total costs of their projects were.
Ask Xpandion about cost effective GRC solutions.
You will be surprised.
17. People think that because their company is large, its rule-set should include 1,000 or even 10,000 SoD rules. Not so. This creates the need for never-ending consulting and maintenance work and decreases the chance of finishing a successful SoD project on time.
18. The solution:
Usually, only about 60 effective SoD rules are needed.
If managed properly, the main business processes are not so different between large and small enterprises. So, if SoD rules are defined well, they shouldn’t grow even if the company does.